Adobe fixes Flash privacy panel so hackers can’t check you out

Yesterday, Adobe made changes to a page on an Adobe website that controls Flash user’s security settings—or more specifically, to the Flash .SWF file embedded in the page that opens the Flash website privacy settings panel. The changes are intended to prevent a clickjacking attack that uses the file to activate and access users’ webcams and microphones to spy on them.

The change comes a few days after a Stanford student revealed the vulnerability on his website. Feross Aboukhadijeh posted the exploit, along with a demo and a video demonstration, on October 18. He said in a blog post that he had notified Adobe weeks earlier of the problem, reporting the vulnerability to Adobe through the Stanford Security lab.

The exploit demonstrated by Aboukhadijeh uses an elaborate clickjack “game” that overlays the SWF panel over buttons in a transparent IFRAME. Here’s a screenshot of the panel before Adobe’s changes:

Through a series of clicks, the exploit was able to clear the privacy settings for Flash’s web camera controls and then authorize a new site to activate and access the camera video.The changes did not prompt any pop-ups or other user notifications.

The changes made by Adobe are to the behavior of the widgets in the privacy settings panel. Here’s a screenshot of the new panel, after the exploit was attempted :

While my test of the exploit still added feross.com to my list of sites in the privacy panel, it was only successfully added with an “always ask” setting for establishing a video link.